DNS Certification Authority Authorization

The history of RFC 6844 began as an Internet Draft in October 2017; the defacement of some CAs in 2011 was not enough to bring this work out, perhaps because it was still immature (it would become an RFC in 2013), until in 2017 [it was made mandatory for all CAs](https://blog.qualys.com/ssllabs/2017/03/13/caa-mandated-by-cabrowser-forum).

The addition of the new DNS resource record CAA (type 257) lets you protect your domain by specifying:

which CAs are authorized to issue certificates for the domain

which CAs are authorized to issue wildcard certificates for the domain

who must be notified of requests that violate the published conditions

When a CA receives a certificate request for a domain protected by DNS CAA, it must check whether it is authorized to issue the certificate; otherwise it notifies the domain owner using the method published in the CAA record.

The configuration of CAA records is very flexible: it is possible, in fact, to allow multiple CAs to issue certificates for the entire domain, or specify that some less expensive CAs can issue certificates for the domain, but that some hosts must have certificates issued by other more expensive and secure CAs.
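The following sketch shows how a CA-side check could evaluate such a configuration. It is an added example, not code from this page or from any CA. The zone contents, host names and CA identifiers are constructed, and the critical flag and CNAME handling are left out as a simplifying assumption.

```python
# Constructed CAA RRsets keyed by owner name; each record is (flags, tag, value).
ZONE = {
    "example.com": [
        (0, "issue", "cheap-ca.example"),
        (0, "issue", "premium-ca.example"),
        (0, "issuewild", "premium-ca.example"),
        (0, "iodef", "mailto:security@example.com"),
    ],
    # Host-level override: only the premium CA may issue for this host.
    "pay.example.com": [(0, "issue", "premium-ca.example")],
    # ";" as the issuer value means no CA may issue.
    "internal.example.com": [(0, "issue", ";")],
}

def relevant_rrset(name, zone):
    """Climb from the requested name toward the root until a CAA RRset is found."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []

def check_issuance(name, ca, zone=ZONE):
    """Return (allowed, iodef_contacts) for CA identifier `ca` and the requested name."""
    wildcard = name.startswith("*.")
    rrset = relevant_rrset(name[2:] if wildcard else name, zone)
    issue = [v for _, t, v in rrset if t == "issue"]
    wild = [v for _, t, v in rrset if t == "issuewild"]
    # issuewild, when present, replaces issue for wildcard requests
    # and is ignored for non-wildcard requests.
    rules = wild if (wildcard and wild) else issue
    if not rules:
        return True, []  # no restricting property: CAA does not limit issuance
    # The issuer name is the part of the value before any ";parameters".
    issuers = {v.split(";")[0].strip().lower() for v in rules} - {""}
    allowed = ca.lower() in issuers
    iodef = [v for _, t, v in rrset if t == "iodef"]
    return allowed, ([] if allowed else iodef)

if __name__ == "__main__":
    for name, ca in [("www.example.com", "cheap-ca.example"),
                     ("*.example.com", "cheap-ca.example"),
                     ("pay.example.com", "cheap-ca.example")]:
        print(name, ca, check_issuance(name, ca))
```

Only the closest RRset found while climbing applies, so the override on `pay.example.com` replaces the parent's records entirely, including its `iodef` contact.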

A Rated

Thanks to these suggestions, the ranking of this site has gone from B to A.